Environment Restrictions for Runbooks

Recently we’ve been expanding our use of runbooks and are considering providing the functionality for our developers. Currently our developers’ accounts are included in a couple teams which when combined, give them the rights they need but prevents them from deploying outside of Dev. Here’s a screenshot of a test user with Dev-level permissions (no QA options):

The same project has a runbook and when I go to run it, all of our non-Dev environments show up in the target environment drop-down (including Prod):

To be sure it wasn’t just the menu I selected one of our QA testing environments and executed the runbook and it ran. Is this expected behavior? If so it doesn’t look like we can allow our Developers to use runbooks. Please advise. Thnx.

Hi @ShannonN,

Thanks for reaching out on our community forum. You may need to evaluate the teams your developers are part of. A user is always granted the highest level permissions/scoping of the team they are part of. So if a user is on two teams and one is restricted, and the other isn’t, they will have the full permissions of the less restricted team, regardless of the restrictions placed on the other team.

It’s also possible that your users are only on one team, but the two roles you mentioned are scoped differently. You could have one role for regular deployments that are scoped to the proper environments as you’re expecting, and that team has a 2nd role assigned for the runbooks but that may not be scoped at all, so those permissions are unrestricted.

You’ll likely want to create one developer team, assign all the user roles you wish for them to have, then scope that team to only the development env for all user roles on that team. Then they should have the abilities you’re expecting.

Let us know if you have any other questions.

Best,
Brent

Thanks Brent

2 Likes

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.